Location Aware Security System

ABSTRACT

Methods, computing devices, and systems that dynamically determine whether a request is authorized or fraudulent are described herein. A computing device may receive a request from a communication device, and a geographical location of the communication device may be determined. User information may be requested, and based on the information and the geographical location of the communication device, a risk value can be calculated. A determination of whether to honor the request may be based on the subscriber risk value.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S.application Ser. No. 14/201,237, which was filed Mar. 7, 2014, entitled“Location Aware Security System”, now allowed, which application isincorporated herein by reference in its entirety.

BACKGROUND

In providing services, a provider may implement systems to detect fraudand/or abuse by users. The systems may be easy to manipulate, forexample, to gain access or to fraudulently become an authorized user.

Additionally, since service requests may be requested remotely such asvia telephone or over a network, real-time information is needed to makea determination of whether the user is authorized to access or use aspecific service before authorizing activation.

Thus, there exists a need for a system that is more difficult tomanipulate and provides real-time decision making information as towhether to authorize a user for a requested service.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of some aspects of the disclosure. The summary is not anextensive overview of the disclosure. It is neither intended to identifykey or critical elements of the disclosure nor to delineate the scope ofthe disclosure. The following summary merely presents some concepts ofthe disclosure in a simplified form as a prelude to the descriptionbelow.

Some aspects of this disclosure relate to methods, systems and computingdevices that enable a proactive determination of whether an activationrequest is authorized or fraudulent.

In some aspects, a determination may be made as to whether to authorizeor activate a service or device in response to a risk value (associatedwith a user (e.g., subscriber) or a device). The user risk value can becalculated based on a geographical location of the communication device.The geographical location of the communication device may be determinedbased at least in part on the activation request, communication deviceinformation, and/or user information. Depending on the subscriber riskvalue or a risk level, a determination can be made as to whetherprovisioning or activation should be enabled. If activation is notenabled, an alert about a potential fraud or abuse may be transmitted toa security terminal, monitor, or associated security personnel.

In another aspect, the geographical location of the communication devicemay be determined based on a network connection of the communicationdevice and an analysis of the signal transmitted from the communicationdevice. The analysis of the signal transmitted from the communicationdevice may be a comparison of radio frequency signals from thecommunication device and a communication device located in a neighboringpremises.

In some aspects, the user risk value may be calculated based on variousprimary components. Examples of primary components include a locationcomponent, a device component, a network component, and a financecomponent. A correlation between the user risk value and a predeterminedrisk value may be used to select a risk level. The user risk value andthe predetermined risk value may be presented in the form of a score ora graphical pattern.

The methods, systems and computing devices described herein may beincluded as part of a network, such as an information access network ora content (e.g., television) distribution network.

The details of these and other embodiments of the present disclosure areset forth in the accompanying drawings and the description below. Otherfeatures and advantages will be apparent from the description anddrawings, and from the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated by way of example and not limitedin the accompanying figures in which like reference numerals indicatesimilar elements and in which:

FIG. 1 illustrates an example network according to one or more aspectsdescribed herein.

FIG. 2 illustrates an example computing device on which the variouselements described herein may be implemented according to one or moreaspects described herein.

FIG. 3 illustrates an overview of an example process of determiningwhether to enable a requested activation.

FIG. 4 illustrates an example process flow diagram of determiningwhether to enable a requested activation between network components

FIG. 5 illustrates an example of a process of determining acommunication device location.

FIG. 6 illustrates an example of a process of selecting an estimationresult level.

FIG. 7 illustrates an example of applying the exemplary process of FIG.6 to determining a risk level.

FIG. 8 illustrates an example chart of available options based on adetermined risk level.

FIG. 9 provides an example of a fraud check screen.

FIG. 10 provides an example of a subscriber risk pattern.

DETAILED DESCRIPTION

In the following description of various illustrative embodiments,reference is made to the accompanying drawings, which form a parthereof, and in which is shown, by way of illustration, variousembodiments in which aspects of the disclosure may be practiced. It isto be understood that other embodiments may be utilized, and structuraland functional modifications may be made, without departing from thescope of the present disclosure.

FIG. 1 illustrates an example network 100 on which many of the variousfeatures described herein may be implemented. Network 100 may be anytype of information distribution network, such as satellite, telephone,cellular, wireless, optical fiber network, coaxial cable network, and/ora hybrid fiber/coax (HFC) distribution network. Additionally, network100 may be a combination of networks. Network 100 may use a series ofinterconnected communication links 101 (e.g., coaxial cables, opticalfibers, wireless, etc.) and/or some other network 117 (e.g., theInternet) to connect an end-point to a local office or headend 103.Example end-points are illustrated in FIG. 1 as premises 102 (e.g.,businesses, homes, consumer dwellings, etc.). The local office 103(e.g., a data processing and/or distribution facility) may transmitinformation signals onto the links 101, and each premises 102 may have areceiver used to receive and process those signals.

There may be one link 101 originating from the local office 103, and itmay be split a number of times to distribute the signal to various homes102 in the vicinity (which may be many miles) of the local office 103.The links 101 may include components not illustrated, such as splitters,filters, amplifiers, etc. to help convey the signal clearly, but ingeneral each split introduces a bit of signal degradation. Portions ofthe links 101 may also be implemented with fiber-optic cable, whileother portions may be implemented with coaxial cable, other links, orwireless communication paths.

The local office 103 may include a termination system (TS) 104, such asa cable modem termination system (CMTS) in a HFC network, which may be acomputing device configured to manage communications between devices onthe network of links 101 and backend devices such as servers 105-107 (tobe discussed further below). The TS may be as specified in a standard,such as the Data Over Cable Service Interface Specification (DOCSIS)standard, published by Cable Television Laboratories, Inc. (a.k.a.CableLabs), or it may be a similar or modified device instead. The TSmay be configured to place data on one or more downstream frequencies tobe received by modems or other user devices at the various premises 102,and to receive upstream communications from those modems on one or moreupstream frequencies. The local office 103 may also include one or morenetwork interfaces 108, which can permit the local office 103 tocommunicate with various other external networks 109. These networks 109may include, for example, networks of Internet devices, telephonenetworks, cellular telephone networks, fiber optic networks, localwireless networks (e.g., WiMAX), satellite networks, and any otherdesired network, and the interface 108 may include the correspondingcircuitry needed to communicate on the network 109, and to other deviceson the network such as a cellular telephone network and itscorresponding cell phones.

As noted above, the local office 103 may include a variety of servers105-107 that may be configured to perform various functions. Forexample, the local office 103 may include a push notification server105. The push notification server 105 may generate push notifications todeliver data and/or commands to the various homes 102 in the network (ormore specifically, to the devices in the homes 102 that are configuredto detect such notifications). The local office 103 may also include acontent server 106. The content server 106 may be one or more computingdevices that are configured to provide content to users in the homes.This content may be, for example, video on demand movies, televisionprograms, songs, text listings, etc. The content server 106 may includesoftware to validate user identities and entitlements, locate andretrieve requested content, encrypt the content, and initiate delivery(e.g., streaming) of the content to the requesting user and/or device.

The local office 103 may also include one or more application servers107. An application server 107 may be a computing device configured tooffer any desired service, and may run various languages and operatingsystems (e.g., servlets and JSP pages running on Tomcat/MySQL, OSX, BSD,Ubuntu, Redhat, HTMLS, JavaScript, AJAX and COMET). For example, anapplication server may be responsible for collecting television programlistings information and generating a data download for electronicprogram guide listings. Another application server may be responsiblefor monitoring user viewing habits and collecting that information foruse in selecting advertisements. Another application server may beresponsible for formatting and inserting advertisements in a videostream being transmitted to the premises 102. Another application servermay be responsible for formatting and providing data for an interactiveservice being transmitted to the premises 102 (e.g., chat messagingservice, etc.).

The local office 103 may further include a security server 120, alocation server 122, an information server 124, and an activation server126. A security terminal 128 may be included at the local office 103 orat a remote location connected to the local office through a network asshown in FIG. 1.

An example premises 102 a may include an interface 120. The interface120 may comprise a modem 110, which may include transmitters andreceivers used to communicate on the links 101 and with the local office103. The modem 110 may be, for example, a coaxial cable modem (forcoaxial cable links 101), a fiber interface node (for fiber optic links101), or any other desired device offering similar functionality. Theinterface 120 may also comprise a gateway interface device 111 orgateway. The modem 110 may be connected to, or be a part of, the gatewayinterface device 111. The gateway interface device 111 may be acomputing device that communicates with the modem 110 to allow one ormore other devices in the premises to communicate with the local office103 and other devices beyond the local office. The gateway 111 maycomprise a set-top box (STB), digital video recorder (DVR), computerserver, or any other desired computing device. The gateway 111 may alsoinclude (not shown) local network interfaces to provide communicationsignals to devices in the premises, such as display devices 112 (e.g.,televisions), additional STBs 113, personal computers 114, laptopcomputers 115, wireless devices 116 (wireless laptops and netbooks,mobile phones, mobile televisions, personal digital assistants (PDA),etc.), and any other desired devices. Examples of the local networkinterfaces include Multimedia Over Coax Alliance (MoCA) interfaces,Ethernet interfaces, universal serial bus (USB) interfaces, wirelessinterfaces (e.g., IEEE 802.11), Bluetooth interfaces, and others.

FIG. 2 illustrates an example computing device on which various elementsdescribed herein can be implemented. The computing device 200 mayinclude one or more processors 201, which may execute instructions of acomputer program to perform any of the features described herein. Theinstructions may be stored in any type of computer-readable medium ormemory, to configure the operation of the processor 201. For example,instructions may be stored in a read-only memory (ROM) 202, randomaccess memory (RAM) 203, removable media 204, such as a Universal SerialBus (USB) drive, compact disk (CD) or digital versatile disk (DVD),floppy disk drive, or any other desired electronic storage medium.Instructions may also be stored in an attached (or internal) hard drive205. The computing device 200 may include one or more output devices,such as a display 206 (or an external television), and may include oneor more output device controllers 207, such as a video processor. Theremay also be one or more user input devices 208, such as a remotecontrol, keyboard, mouse, touch screen, microphone, etc. The computingdevice 200 may also include one or more network interfaces, such asinput/output circuits 209 (such as a network card) to communicate withan external network 210. The network interface may be a wired interface,wireless interface, or a combination of the two. In some embodiments,the interface 209 may include a modem (e.g., a cable modem), and network210 may include the communication links and/or networks illustrated inFIG. 1, or any other desired network.

The FIG. 2 example is an illustrative hardware configuration.Modifications may be made to add, remove, combine, divide, etc.components as desired. Additionally, the components illustrated may beimplemented using basic computing devices and components, and the samecomponents (e.g., processor 201, storage 202, user interface, etc.) maybe used to implement any of the other computing devices and componentsdescribed herein.

One or more aspects of the disclosure may be embodied in computer-usabledata and/or computer-executable instructions, such as in one or moreprogram modules, executed by one or more computers or other devices.Generally, program modules include routines, programs, objects,components, data structures, etc. that perform particular tasks orimplement particular abstract data types when executed by a processor ina computer or other data processing device. The computer executableinstructions may be stored on one or more computer readable media suchas a hard disk, optical disk, removable storage media, solid statememory, RAM, etc. The functionality of the program modules may becombined or distributed as desired in various embodiments. In addition,the functionality may be embodied in whole or in part in firmware orhardware equivalents such as integrated circuits, field programmablegate arrays (FPGA), application-specific integrated circuits (ASIC), andthe like. Particular data structures may be used to more effectivelyimplement one or more aspects of the invention, and such data structuresare contemplated within the scope of computer executable instructionsand computer-usable data described herein.

FIG. 3 illustrates an example of a method of dynamically determining thelikelihood that a requested activation of a service or device may be anauthorized use. At step 302, a query or request may be received from acommunication device such as a modem 110, gateway 111, display device112, set top box 113, personal computer 114, laptop computer 115, orwireless device 116. The communication device may be located in apremises 102 a.

The query or request can be a device or service activation request or aprovisioning request. The query or request may be directed to anactivation server and intercepted by a security server or a routingserver. A routing server may be located in a network with a plurality ofsecurity servers. The routing server may include an interceptor whichintercepts the activation query or request. Based on the geographicallocation of the incoming request or the current load of the securityservers, the routing server may decide the security server to which therequest should be sent. This routing functionality may also be includedin the security server.

At step 304, the physical or geographical location of the communicationdevice may be determined based on the network connection of thecommunication device and characteristics of the signal transmitted bythe communication device by a location server. At step 306, a securityserver may calculate a user or subscriber risk value which can be usedto proactively determine whether the activation or provisioning query orrequest is a legitimate query or request based on information associatedwith the subscriber and/or the communication device. The locationserver, routing server, and security server may be one of theapplication servers 107 at the local office 103. Depending on thecalculated subscriber risk value, the security server can determinewhether to enable activation at step 308. If the subscriber risk valuemeets an authorized activation level requirement, activation may beenabled at step 310. If the subscriber risk value does not meet anauthorized activation level requirement, then security measures may beapplied at step 312.

FIG. 4 is an exemplary process flow between network components indetermining whether the activation may be enabled. A user at a premises102 a may connect a communication device 425 such as a modem 110 to anetwork through, for example, a coaxial cable outlet and initiateactivation of the communication device 425 on the network at step 402resulting in a transmission of an activation or provisioning query orrequest directed to an activation server at 404. The activation query orrequest 402 may be intercepted by a security server 120 and/or a routingserver. In response to the activation query or request 402, the securityserver 120 may request location information of the modem 110 from alocation server 122 at 406. The location server 124 can determine thelocation of the modem 110 using different types of information whichwill be described in more detail with respect to FIG. 5 and returnlocation data to the security server at 408.

The security server 120 can also request a variety of information aboutthe user based on location and account information at 410 from a varietyof servers or computing devices in the network. This information may bereturned to the security server 120 at 412. Based on a variety offactors and information, the security server 120 can calculate asubscriber risk value at 414. Based on the calculated subscriber riskvalue, the security server can determine whether the communicationdevice or service may be enabled for activation or whether provisioningof service may be enabled at 416.

If the security server 120 has determined that the requested service orthe communication device may be activated, the activation request may bereleased, transmitted, or forwarded to an activation server 126 by thesecurity server 120 at 418. The user may also be notified of the pendingactivation at 420. If the security server 120 determines that thecalculated subscriber risk value indicates potential unauthorizedactivation, the security server may alert security personnel through asecurity or user terminal 128 of the potentially fraudulent use at 422and/or request that the user provide additional information to theservice provider at 424 which may be used to recalculate or update thesubscriber risk value.

The servers (e.g., security server, location server, information server,and activation server) shown in FIG. 4 may be located in a variety oflocations in the service provider's network. For example, the serversmay be located at the local office 103.

The method described herein includes a location determination featureand a user risk calculation feature. The location determination featurewill be described in detail with respect to FIG. 5 and the subscriberrisk calculation feature will be described with respect to FIGS. 6-7.

FIG. 5 shows a process of location determination which may be completedusing a location server 122. At step 502, the communication device isidentified and information about the device, for example, a deviceidentifier or device type is obtained. The server can also identify towhich local office 103 the communication device is connected at step 504by determining the TS 104. The TS 104 can be determined from othernetwork components, and from a network communication monitor, the localoffice 103 can be determined. At step 506, once the local office 103 isdetermined, a group of premises 102 in which the communication devicemay be located can be determined since local offices typically servepremises 102 in a specific area such as a certain neighborhood.

At step 508, the group of premises 102 can be further narrowed down byapplying filters to remove premises in which it is unlikely that thecommunication device is located to obtain more relevant premises. Forexample, from the type of device being activated, it can be determinedpotentially what type of service is being activated. A modem 110 mayindicate the desire to activate internet service and a set top box mayindicate a desire to activate a television subscription service. Bydetermining which premises already have activated internet service orbased on account information for the premises, premises which alreadyhave activated internet service can be filtered out. Another example isto filter out premises which are not scheduled for service activation orare not ready for service activation.

Once the possible premises have been narrowed down to relevant premises,characteristics of the signal from the communication device can beanalyzed to determine from which premises the signal is originating. Atstep 510, the signal received from the communication device may becompared with the signals of relevant premises. The signal may be awired signal such as a signal transmitted through a cable or a wirelesssignal. For example, the radio frequency (RF) signal received from thecommunication device and the RF signals received from premises near anestimated location of the communication device may be compared todetermine which RF signals match or closely match those originating fromthe communication device. The distance between a premises 102 a and alocal office 103 affect the characteristics of the signal. For wiredsignals, neighboring premises which have similar distances to the localnode 103 will likely produce signals with similar characteristics. Forexample, spectral characteristics and/or power characteristics of the RFsignals may be compared to determine how closely the signals resembleeach other.

As another example, a heartbeat or signature may be included in the RFsignal as a signal identifier. To determine the location from which thecommunication device signal is originating, the heartbeats or signaturesof the communication device signal and the relevant premises may becompared.

Based on a match or closest match, an originating premises for thesignal from the communication device may be determined or estimated atstep 512. The location information of the originating premises may be astreet address or a coordinate location such as the latitude andlongitude of the originating premises.

With respect to the feature of user or subscriber risk valuecalculation, FIG. 6 is a flow diagram showing an overview of a processof determining or predicting user behavior based on collected dataassociated with a user. At step 602, a plurality of components may becalculated. For example, a variety of individual components may be usedin the calculation. As another example, the components may be comprisedof sub-components, or the components may be grouped into differentcategories or primary components such as a device component, a networkcomponent, a location component, an account component, and a financecomponent. At step 604, a weight can be assigned to each componentdepending on the strength of the correlation between the component andan expected result. The expected result value can be calculated based onthe weighted components at step 606. At step 608, the expected resultvalue, which may be in the form of a score or graphical pattern, iscompared to predetermined behavior scores or patterns to determinecorrelations between the estimated result and the predetermined scoresor patterns. Depending on the correlation strengths, an expectationlevel is selected at step 610 that provides information on thelikelihood of a user behavior or an event occurring.

The process illustrated in FIG. 6 is advantageous in that a result canbe dynamically determined, for example, to provide information forimmediate or real-time decision making. Furthermore, the process shownin FIG. 6 is dynamic or adaptable in that the estimation level or modelmay respond to new or different information to provide updated results.

Turning to FIG. 7, FIG. 7 shows an example of applying the process ofFIG. 6 to determining whether an activation query or request would be anauthorized activation or a fraudulent activation based on theprobability or degree of risk associated with the activation query orrequest.

At step 702, the user or subscriber risk value may be based on one ormore primary components whose scores are calculated at step 702. Theremay be five primary components such as a device component, a networkcomponent, a location component, an account component, and a financecomponent. Each of the primary component values may be calculated basedon various subcomponents.

The device component may be calculated based on subcomponents includingthe device's activation history, a device type, a device identifier,boot or configuration file, number of associated accounts, and devicehistory. The device identifier may be a MAC address, serial number, oran International Mobile Equipment Identity (IMEI) number. For example,if the device has been activated on numerous accounts within a shortperiod of time, such an activation history may indicate abuse orunauthorized use. The activation history may be determined by the numberof IP addresses associated with the device within a given time period. AMAC address which is not associated with a known vendor may alsoindicate potentially unauthorized use or an unauthorized device. A bootfile or configuration file having a class of service which does notcorrespond to traffic rates may suggest unauthorized use or anunauthorized device. Having one device listed on multiple account mayalso suggest unauthorized use or an unauthorized device. A blacklisteddevice may further indicate fraudulent use. Based on thesesubcomponents, the device component value may reflect the degree towhich the activation history suggests abuse or unauthorized use.

The network component value may be based on the Internet Protocol (IP)address, CMTS connection, Dynamic Host Configuration Protocol (DHCP)information, Simple Network Management Protocol (SNMP) information, bootor configuration file information, MAC address, and head-endinformation. The network information gathered from the communicationdevice from which the activation request originated may be compared topreviously stored network information. The network information may beassociated with the account for which activation is requested.Conflicting gathered network information and stored network informationmay indicate a greater likelihood of an unauthorized or fraudulentactivation. The security server may also store network information whichhas been previously associated with fraudulent activation. For example,the security server may store IP addresses from which fraudulentrequests have previously originated.

The location component may be calculated based on information associatedwith the identified location of the device or the associated account.For example, if the determined device location does not match theservice location list in the account, such a discrepancy may suggestfraudulent service usage. Frequent high-risk financial component values,account component values, or device component values associated with theparticular device location may also suggest fraudulent usage. Acommunication device being located in a foreclosed premises may alsosuggest unauthorized or fraudulent usage.

The account component may be calculated based on whether the account isin good standing and the account history. For example, having a largenumber of devices associated with an account or having a blacklistedaccount may indicate a high potential of unauthorized or fraudulentusage. An account may be blacklisted based on a history of non-paymentsor late payments or based on a previous instance of unauthorized usage.An account associated with the user or the activation request may bedetermined based on identifying information including a street address,social security number, telephone number, e-mail address, IP address,and MAC address.

The finance component may be calculated based on the user's financialinformation such as whether previous account payments were late, whetherthe balance was paid in full, and the credit score of the user oraccount holder. For example, late payments and a poor credit score maysuggest a greater likelihood of an unauthorized activation.

Each component value may be a numerical value which reflects a risk offraudulent activity based on the size of the numerical value. Forexample, the larger the numerical score for each component the greaterthe likelihood that the activation may be fraudulent. Conversely, asmaller numerical value may also be used to signal a higher risk offraudulent activity.

At step 704, weights are assigned to each individual primary component.A primary component may be weighted more heavily if the calculatedcomponent value indicates a strong likelihood that the activation may bea fraudulent activation or anomalous behavior. For example, if acommunication device is associated with a large number of accountswithin a short period of time, such behavior may suggest unauthorized orfraudulent use. To account for a strong suggestion of unauthorized orfraudulent use, the device component may be weighted more heavily thanthe other components. Other components may also be weighted more heavilyif behavior or information associated with the corresponding componentsis associated with a strong suggestion of unauthorized or fraudulentuse.

The weights may be distributed equally among the primary components andmay be in the form of percentages or numerical values. For example, whenfive primary components are used in the subscriber risk scorecalculation, each primary component may be assigned a weight of 25% suchthat each primary component is weighted equally. In the case of heavierweighting for anomalous behavior or a strong suggestion of unauthorizeduse associated with a component, for example, the finance component, thefinance component may be assigned a much heavier weight compared to theother primary components. For example, the finance component may beassigned a weighting of at least 50% while the remaining primarycomponents are weighted equally or weighted according to theirrespective unauthorized usage potential.

Business rules may also dictate that certain behaviors or primarycomponent values are anomalous and considered to provide a clearindication of fraudulent use or an unreasonable risk of fraudulent use.A combination of values or behavior across different components may beused in detecting anomalous behavior. For example, an activation requestoriginating from a foreclosed premises combined with an activationrequest originating from a communication device having a MAC addressassociated with an account different than the account associated withthe request may be considered anomalous. Default primary componentweights may be used, and the weights of individual primary componentscontaining anomalous behavior can be adjusted to be more heavilyweighted. Another way of implementing consideration of business rulescan be to apply a filter for subscriber risk values which meet certainbusiness rules for anomalous behavior and disabling activation forsubscriber risk values captured by the filter. One or more componentsmay be filtered at a time.

Certain behavior or component scores or combinations of behavior andcomponent scores which may be considered to automatically indicate anunreasonable risk of fraudulent usage may be taken into account in thesubscriber risk score by heavily weighting the corresponding componentor components. An exceptionally high risk based on anomalous behavior orcomponent scores may result in automatically indicating the subscriberrisk score to correspond to a high risk.

At step 706, once the weights are assigned, the subscriber risk valuecan be calculated based on the individual primary components and theirrelative weightings. The user or subscriber risk value may be in theform of a score or a graphical pattern. The subscriber risk score may bea number value within a range which indicates the degree to which theactivation may potentially be unauthorized or fraudulent. A user orsubscriber risk pattern may be, for example, a two-dimensional patternwhich displays the values of the individual components overlaid on agraph or chart to show relationships between the individual componentswhere the individual component scores inform the shape of the pattern.An example of a subscriber risk pattern is shown in FIG. 10. A filterfor business rules may also be applied to the subscriber risk pattern todetect for a pattern that meets certain business rules for anomalousbehavior.

As described previously, each individual component may be composed of aplurality of subcomponents. Similar to the use of primary componentvalues in determining the subscriber value, the subcomponent values maybe weighted depending on importance in the calculation to determine thecorresponding individual component value.

At step 708, a subscriber risk value may be compared to at least onepredetermined value. A predetermined value may be in the form of ascore, a score range, or a graphical pattern, and each predeterminedscore, score range, or graphical pattern may indicate the likelihoodthat the activation request is an unauthorized request. For example, afirst predetermined score, score range, or pattern may indicate a highrisk or probability that the activation request is a fraudulent request.The first predetermined score, score range, or pattern may be based onscores or patterns of confirmed instances of fraudulent use. A secondpredetermined score, score range, or pattern may indicate a known mediumrisk or probability that the activation request is a fraudulent request.For example, a medium risk may indicate potentially fraudulent use. Athird predetermined score, score range, or pattern may indicate that theactivation request is unlikely to be fraudulent and may be categorizedas non-fraudulent. It is noted that any number of predetermined scores,score ranges, or patterns may be used depending on the level of detaildesired.

At step 710, a correlation is determined between the subscriber valueand the predetermined values by comparing the subscriber value to apredetermined value. The correlation provides information on theproximity of the score to a predetermined score or the degree to whichthe calculated graphical pattern matches the predetermined graphicalpattern. The correlation may be determined based on if the score matchesthe predetermined score within a target percentage or meets a thresholdof the predetermined score. The correlation may also be determined basedon whether the score falls within the predetermined score range. Forexample, on a scale of 0-100, a subscriber value between 75-100 may beconsidered to be a high risk. A subscriber value between 25-74 may beconsidered to be a medium risk, and a subscriber value between 0-24 maybe considered to be a low risk. The levels of high, medium, and lowrisks are used as examples, and a skilled person would appreciate thatany number of risk levels may be used. For a graphical pattern, thecorrelation may be determined based on how closely the shape or contoursof the pattern match those of a predetermined pattern and/or the surfacearea of the pattern.

At step 712, a risk level such as a high risk level, a medium risklevel, or a low risk level can be selected based on the correlation thatis, for example, the strongest. As an example, if the correlation of thesubscriber score or pattern is strongest to the high risk score orpattern, the activation request may be found to be high risk. In anotherexample, the activation request may be associated with a high risk ifthe subscriber risk score associated with the activation request fallswithin the high risk score range.

FIG. 8 shows possible action options based on the selected risk level.At step 802, the user's risk level which was determined in the methodillustrated in FIG. 7 is evaluated. If the user is considered to be alow risk for fraud, then activation can be enabled at step 804. If theactivation is considered to be medium risk, then the security system mayrequest additional information from the user at step 806 to recalculatethe subscriber risk value. A user terminal 128 can receive an alertregarding the medium risk subscriber and other security measures can beapplied at step 808. If the activation is considered to be high risk,security measures may be applied at step 810. The applied securitymeasures may include flagging the account, alerting security personnel,denying activation, and requesting the user contact security personnelto resolve any security issues. Security personnel may have a userinterface on the user terminal 128 which provides information on thecalculated subscriber value to assist the security personnel inresolving the security issue such as a fraud check screen.

FIG. 9 shows an example of a fraud check screen 900. An agent may enterthe user's information in input area 902 and be provided with animmediate risk rating in area 904. For example, inputted information mayinclude information associated with the user such as a IP address, MACaddress of a requesting device, account number, phone number, e-mailaddress, social security number, and street address information. Asdescribed herein, the subscriber value may comprise a number of primarycomponents. FIG. 9 shows the use of the previously discussed locationcomponent, device component, account component, network component,finance component, and a risk score. Based on entered and other receivedinformation, the fraud check screen may provide a graphicalrepresentation 904 (e.g., graph, chart, subscriber risk pattern) of thecomponent scores and the overall subscriber risk score 906. Thegraphical representation may provide the agent with information of therisk level indication of each individual component. Since the subscriberrisk value is calculated dynamically in real-time, security personnelare able to receive immediate feedback based on existing or newlyentered information as to whether the potential service activation islikely to be unauthorized and to proactively check for fraudulent usage.Additionally, users benefit from an immediate decision as to whetheractivation of a device or service will be allowed. The location awaresecurity system is also advantageous since much of the information usedin the subscriber risk value may be collected based on existinginformation or information otherwise available without requiring theuser to provide information at or before the time of activation or therequest for activation.

FIG. 10 illustrates an example of a calculated subscriber risk pattern1000. The pattern 1000 may be overlaid on a graph having an axis foreach primary component. The axes may extend from a central point and beevenly spaced radially. In the example graph, six primary components1002(a)-(f) are used such that the graph may have the shape of ahexagon. Each primary component score may be plotted along the axis ofthe respective primary component. For example, the previously discussedprimary components of network, location, account, financial, and deviceare provided with an axis. A lower primary component score, which mayindicate a lower risk of fraudulent activity, may be located nearer thecenter of the graph and a higher primary component score, which mayindicate a higher risk of fraudulent activity, may be plotted closer toan edge of the graph. By connecting the plotted points, a pattern isproduced. Relationships between values of primary components maydetermine the shape of a line connecting various plotted points.

Aspects of the disclosure have been described in terms of illustrativeembodiments thereof. While illustrative systems and methods as describedherein embodying various aspects of the present disclosure are shown, itwill be understood by those skilled in the art, that the disclosure isnot limited to these embodiments. Modifications may be made by thoseskilled in the art, particularly in light of the foregoing teachings.For example, each of the features of the aforementioned illustrativeexamples may be utilized alone or in combination or subcombination withelements of the other examples. For example, any of the above describedsystems and methods or parts thereof may be combined with the othermethods and systems or parts thereof described above. For example, thesteps illustrated in the illustrative figures may be performed in otherthan the recited order, and one or more steps illustrated may beoptional in accordance with aspects of the disclosure. It will also beappreciated and understood that modifications may be made withoutdeparting from the true spirit and scope of the present disclosure. Thedescription is thus to be regarded as illustrative instead ofrestrictive on the present disclosure.

1. A method comprising: receiving, by a computing device, a request fora service associated with a first user device; estimating a geographicallocation of the first user device by comparing a signal received fromthe first user device with at least one of a plurality of signalsreceived from a plurality of user devices associated with differentgeographical locations; and activating, based on the estimatedgeographical location of the first user device, the service.
 2. Themethod of claim 1, wherein the comparing comprises comparing spectralcharacteristics of the signal received from the first user device withspectral characteristics of each of the plurality of signals receivedfrom the plurality of user devices.
 3. The method of claim 1, whereinthe comparing comprises comparing power characteristics of the signalreceived from the first user device with power characteristics of eachof the plurality of signals received from the plurality of user devices.4. The method of claim 1, wherein the comparing comprises comparing aheartbeat included in the signal received from the first user devicewith heartbeats included in each of the plurality of signals receivedfrom the plurality of user devices.
 5. The method of claim 1, whereinthe comparing comprises comparing a signature included in the signalreceived from the first user device with signatures included in each ofthe plurality of signals received from the plurality of user devices. 6.The method of claim 1, further comprising: determining, by the computingdevice and based on the estimated geographical location, a securitylevel associated with the first user device, wherein the activating isbased on comparing the security level associated with the first userdevice with a threshold value.
 7. The method of claim 6, wherein thedetermining of the security level is further based on account statusinformation associated with the first user device.
 8. The method ofclaim 1, further comprising determining the plurality of user devices byfiltering a group of candidate user devices based on a type of the firstuser device.
 9. The method of claim 1, further comprising determiningthe plurality of user devices by filtering a group of candidate userdevices based on a determination of one or more premises scheduled forservice activation.
 10. The method of claim 1, wherein the plurality ofsignals are received via a wired network connecting the computing deviceto the plurality of user devices.
 11. The method of claim 1, whereineach of the plurality of user devices is associated with an activatedservice.
 12. An apparatus comprising: one or more processors; and memorystoring instructions that, when executed by the one or more processors,cause the apparatus to: receive a request for a service associated witha first user device; estimate a geographical location of the first userdevice by comparing a signal received from the first user device with atleast one of a plurality of signals received from a plurality of userdevices associated with different geographical locations; and activate,based on the estimated geographical location of the first user device,the service.
 13. The apparatus of claim 12, wherein the instructions,when executed by the one or more processors, cause the apparatus tocompare the signal received from the first user device with the at leastone of the plurality of signals received from the plurality of userdevices associated with different geographical locations by performingone or more of: comparing spectral characteristics of the signalreceived from the first user device with spectral characteristics ofeach of the plurality of signals received from the plurality of userdevices; comparing power characteristics of the signal received from thefirst user device with power characteristics of each of the plurality ofsignals received from the plurality of user devices; comparing aheartbeat included in the signal received from the first user devicewith heartbeats included in each of the plurality of signals receivedfrom the plurality of user devices; or comparing a signature included inthe signal received from the first user device with signatures includedin each of the plurality of signals received from the plurality of userdevices.
 14. The apparatus of claim 12, wherein the instructions, whenexecuted by the one or more processors, cause the apparatus to:determine, based on the estimated geographical location and based onaccount status information associated with the first user device, asecurity level associated with the first user device; and activate theservice by activating, based on comparing the security level associatedwith the first user device with a threshold value, the service.
 15. Theapparatus of claim 12, wherein the instructions, when executed by theone or more processors, cause the apparatus to determine the pluralityof user devices by filtering a group of candidate user devices based ona type of the first user device, based on a determination of one or morepremises scheduled for service activation, or based on a combinationthereof.
 16. The apparatus of claim 12, wherein the plurality of userdevices are connected to the apparatus via a wired network.
 17. One ormore non-transitory computer readable media comprising instructionsthat, when executed, cause: receiving a request for a service associatedwith a first user device; estimating a geographical location of thefirst user device by comparing a signal received from the first userdevice with at least one of a plurality of signals received from aplurality of user devices associated with different geographicallocations; and activating, based on the estimated geographical locationof the first user device, the service.
 18. The one or morenon-transitory computer readable media of claim 17, wherein theinstructions, when executed, cause comparing the signal received fromthe first user device with the at least one of the plurality of signalsreceived from the plurality of user devices associated with differentgeographical locations by causing one or more of: comparing spectralcharacteristics of the signal received from the first user device withspectral characteristics of each of the plurality of signals receivedfrom the plurality of user devices; comparing power characteristics ofthe signal received from the first user device with powercharacteristics of each of the plurality of signals received from theplurality of user devices; comparing a heartbeat included in the signalreceived from the first user device with heartbeats included in each ofthe plurality of signals received from the plurality of user devices; orcomparing a signature included in the signal received from the firstuser device with signatures included in each of the plurality of signalsreceived from the plurality of user devices.
 19. The one or morenon-transitory computer readable media of claim 17, wherein theinstructions, when executed: cause determining, based on the estimatedgeographical location and based on account status information associatedwith the first user device, a security level associated with the firstuser device; and cause the activating by causing activating, based oncomparing the security level associated with the first user device witha threshold value, the service.
 20. The one or more non-transitorycomputer readable media of claim 17, wherein the instructions, whenexecuted, cause determining the plurality of user devices by filtering agroup of candidate user devices based on a type of the first userdevice, based on a determination of one or more premises scheduled forservice activation, or based on a combination thereof.